Bundled js modules are vulnerable

[arothian]

Hello 👋🏻

There are included JS dependencies in this gem that have published CVEs. The items in question are included here.

In particular, the jquery-ui bundled is v1.11.4, which is vulnerable to CVE-2016-7103

The impact of this is that consumers of capybara might see failures in static analysis of packages. These dependencies should be updated or excluded from the gemspec.

Meta

Capybara Version: latest

[twalpole]

The packages are included for third party driver authors to be able to be run Capybaras tests against their drivers, and will not be excluded from the gemspec. These files are not used by end users of Capybara, and are easily excludable from any static analysis tool. We will look at updating the dependencies but I don't consider this a valid security concern.

[Jackiesan]

Hello I had the same exact question. Thanks for creating a pull request to update the dependency. @twalpole Is there anything blocking pull request #2503 from being merged?

[twalpole]

@Jackiesan Time to figure out why the visibility behavior changes when using the new versions. Assumption is that it shouldn't have any effect since jQuery isn't used in the visibility calculations